Abstract. Given a theory T and two formulas A and B jointly unsatisfiable in T, a
theory interpolant of A and B is a formula I such that (i) its non-theory symbols are 
shared by both A and B, (ii) it is entailed by A in T, and (iii) it is unsatisfiable with B in 
T. Theory interpolation has found several successful applications in model checking. We 
present a novel method for computing interpolants for ground formulas in the theory of 
equality. The method produces interpolants from colored congruence graphs representing 
derivations in that theory. These graphs can be produced by conventional congruence 
closure algorithms in a straightforward manner. By working with graphs, rather than at 
the level of individual proof steps, we are able to derive interpolants that are pleasingly 
simple (conjunctions of Horn clauses) and smaller than those generated by other tools. 
Our interpolation method can be seen as a theory-specific implementation of a cooperative 
interpolation game between two provers. We present a generic version of the interpolation 
game, parametrized by the theory T, and define a general method to extract runs of the 
game from proofs in T and then generate interpolants from these runs. 



1. Introduction 

The Craig Interpolation Theorem [Cra57] asserts, for every inconsistent pair of first-order
formulas A, B, the existence of a formula I that is implied by A, inconsistent with B, and
written using only logical symbols and symbols that occur in both A and B. Analogues
of this result hold for a variety of logics and logic fragments. Recently, they have found
practical use in symbolic model checking. Applications, starting with the work by McMillan
[McM03], involve computation of interpolants in propositional logic or in quantifier-free
logics with (combinations of) theories such as the theory of equality, linear rational arithmetic,
arrays, and finite sets [McM05b, YM05, KMZ06, CGS08]. There are now several
techniques that use interpolants to obtain property-driven approximate reachability sets of
transition relations, or compute refinements for predicate abstraction [McM05a, McM06,
JM05, JM06].

An important functionality in much of this work is the computation of ground in- 
terpolants in the theory of equality, also known as the theory of uninterpreted functions 
(EUF). The ground interpolation algorithm for this theory used in existing interpolation- 
based model checkers was developed by McMillan [McM05b]. It derives interpolants from
proofs in a formal system that contains rules for the basic properties of equality.

In this paper, which is a revised and expanded version of [FGG+09], we present a novel
method for ground EUF interpolation. We compute interpolants from colored congruence
graphs that compactly represent EUF derivations from two sets of equalities, and can be
produced in a straightforward manner by conventional congruence closure algorithms, as
implemented in solvers for Satisfiability Modulo Theories (e.g., [DNS05, NO05]). Working
with graphs makes it possible to exploit the global structure of proofs to streamline
interpolant generation. The generated interpolants are conjunctions of Horn clauses, the
simplest conceivable form for this theory. In most cases, they are smaller and logically
simpler than those produced by McMillan's method.

We restrict ourselves to input formulas A and B that are just conjunctions of literals.
Such a restriction causes no loss of generality because any interpolation procedure for
conjunctions of literals can be extended in a uniform way to arbitrary ground formulas,
and under the right conditions also combined with interpolation procedures for other
theories [McM05b, CGS08, GKT09].

Our interpolation method can be understood as the implementation of a cooperative 
interpolation game between two provers. The game is not specific to the theory of equality 
and can be generalized to other theories. We present a general version of the interpolation 
game for a theory T and define a generic method to extract runs of the game from local 
refutations in T and generate interpolants from these runs. 

Our interpolation algorithm for EUF is described and proved correct in §4. A series of
examples then highlights important aspects of the algorithm. A detailed comparison with
McMillan's method is given in §5, together with experimental data on a set of benchmarks
derived from those in the SMT-LIB repository [BST11]. The general version of the
interpolation game is described and proved correct in a later section.

1.1. Formal preliminaries. We work in the context of first-order logic with equality, and 
use standard notions of signature, term, literal, formula, clause, Horn clause, entailment, 
and so on. We use the symbol = to denote the equality predicate in the logic as well as 
equality at the meta-level, relying on context to disambiguate the two. For convenience, 
we treat all equations modulo symmetry, that is, an equation of the form s = t will stand 
indifferently for s = t or t = s. For terms or formulas we will use "ground", i.e., variable- 
free, and "quantifier-free" interchangeably since for our purposes free variables can be always 
seen as free constants. 

If $S, S_1, \dots, S_n$ are sets of sentences (i.e., closed formulas) and $\varphi$ is a sentence, we
write, as usual, $S_1, \dots, S_n \models \varphi$ if $S_1 \cup \dots \cup S_n$ logically entails $\varphi$; we write $S_1, \dots, S_n \models S$
if $S_1, \dots, S_n \models \psi$ for all $\psi \in S$. If $T$ is a theory, understood as a set of sentences, we write
$S \models_T \varphi$ as an abbreviation of $T \cup S \models \varphi$. We use the literals true and false as logical
constants denoting the universally true and the universally false formula. We say that a set
of sentences $S$ is $T$-unsatisfiable if $S \models_T \mathrm{false}$.

In FOL with equality, for any given signature $\Sigma$ the theory EUF is axiomatized by
the empty set of sentences. For convenience then, we write $\models$ in place of $\models_{\mathrm{EUF}}$ and write
"unsatisfiable" instead of "EUF-unsatisfiable" when talking about that theory. Also for
convenience, we do not distinguish a finite set of sentences from the conjunction of its
elements.

2. Ground Theory Interpolation 

Interpolation is a property of logical fragments, i.e., classes of formulas with an associated
entailment relation over such formulas. To state it for a fragment $\mathcal{F}$ with entailment relation
$\models_{\mathcal{F}}$ we need know only a partition of the symbols used to build formulas in $\mathcal{F}$ into logical
and non-logical symbols.

Let $\mathcal{F}(X)$ be the set of all formulas in $\mathcal{F}$ whose non-logical symbols belong to some
set $X$. By definition, $\mathcal{F}$ has the interpolation property if for every $A \in \mathcal{F}(X)$ and
$B \in \mathcal{F}(Y)$ such that $A, B \models_{\mathcal{F}} \mathrm{false}$, there exists $I \in \mathcal{F}(X \cap Y)$ such that $A \models_{\mathcal{F}} I$ and
$B, I \models_{\mathcal{F}} \mathrm{false}$. The formula $I$ is an ($\mathcal{F}$-)interpolant of $A$ and $B$. Note the asymmetry:
$I$ is not an interpolant of $B$ and $A$; however, $\neg I$ is, provided it belongs to $\mathcal{F}$.

A classic theorem by William Craig [Cra57] states that the fragment of all first-order
logic formulas with the standard entailment relation has the interpolation property. (The
non-logical symbols are predicate and function symbols, and free variables.) The result
also implies a modulo theory generalization, where, for a given first-order theory $T$ over
a signature $\Sigma$, the fragment $\mathcal{F}$ is the set of all $\Sigma$-formulas together with the entailment
relation $\models_T$, and the symbols of $\Sigma$ are treated as logical. The case where $T$ and $\Sigma$ are
empty is Craig's original theorem.

Of particular interest is the interpolation property for quantifier-free fragments of theories.
The property may or may not hold, depending on the theory. Take, for example, the
quantifier-free fragment of linear integer arithmetic, and let $A = \{x = 2y\}$, $B = \{x = 2z + 1\}$.
The set $A \cup B$ is unsatisfiable in this theory, and the formula $\exists u.\,(x = 2u)$ is an interpolant.
However, there is no quantifier-free interpolant for $A$ and $B$.

By definition, a theory has the ground interpolation property if its quantifier-free
fragment has the interpolation property. Aside from EUF, several other theories of
interest in model checking have this property, including the theory of rational arithmetic
among others [KMZ06, CGS08].

Example 2.1. The sets of inequalities $A = \{3x - z - 2 < 0,\ -2x + z - 1 < 0\}$ and
$B = \{3y - 4z + 12 < 0,\ -y + z - 1 < 0\}$ are jointly unsatisfiable in the theory of rational
arithmetic, as witnessed by the linear combination with positive coefficients

$$2 \cdot (3x - z - 2 < 0) + 3 \cdot (-2x + z - 1 < 0) + 1 \cdot (3y - 4z + 12 < 0) + 3 \cdot (-y + z - 1 < 0)$$

which simplifies to $2 < 0$. The $A$-part of this linear combination, $2 \cdot (3x - z - 2 < 0) + 3 \cdot (-2x + z - 1 < 0)$,
gives us the interpolant $I = (z - 7 < 0)$ for $A, B$. Generalizing what
goes on in this example, one can obtain a ground interpolation procedure for linear
arithmetic with real coefficients. See, e.g., [CGS08]. □

By the following lemma, if we want an algorithm for ground T-interpolation, it suffices 
to have one that works for inputs A and B that are sets of ground literals. 

Lemma 2.2. Let $T$ be a theory and suppose every pair of jointly $T$-unsatisfiable sets of
literals has a quantifier-free interpolant. Then, $T$ has the ground interpolation property. □
Figure 1: Solid (hollow) edges represent literals from the set $A$ (set $B$) in Example 3.1. For
the vertex coloring convention, see Example 4.5.



The reader is referred to [McM05b, CGS08, GKT09] for effective proofs of the lemma, that is,
descriptions of a general mechanism to combine interpolation procedures restricted to sets
of literals with a method for computing interpolants in propositional logic [Pud97, McM03].
With this justification, our interpolation method for EUF focuses on sets of ground literals.



3. Interpolation in EUF 

It is instructive to look first at some examples of interpolants for pairs of literal sets A and 
B jointly unsatisfiable in EUF. 

Example 3.1. The picture in Figure 1(a) demonstrates the joint unsatisfiability of

$A = \{z_1 = x_1,\ x_1 = z_2,\ z_2 = x_2,\ x_2 = f(z_3),\ f(z_3) = x_3,\ x_3 = z_4,\ f(z_2) = x_2,\ x_2 = z_3\}$,

$B = \{z_1 = y_1,\ y_1 = f(z_2),\ f(z_2) = y_2,\ y_2 = z_3,\ z_3 = y_3,\ z_2 = y_2,\ y_2 = f(z_3),\ y_3 \neq z_4\}$

which follows by the transitivity of equality. An interpolant is the equality $z_1 = z_4$ that
summarizes the transitivity $A$-chain in the figure. For the variation in Figure 1(b), which
provides an alternative demonstration of the joint unsatisfiability of $A$ and $B$, an interpolant
is the conjunction $z_1 = z_2 \wedge f(z_3) = z_4 \wedge f(z_2) = z_3$ of summaries of $A$-chains.

For yet another variation, this time with slightly different sets $A$ and $B$, modify Figure 1(b)
by moving the disequality sign to the edge $(x_3, z_4)$. There, an interpolant is

$z_1 = z_2 \wedge f(z_3) \neq z_4 \wedge f(z_2) = z_3$. □

Example 3.2. When the unsatisfiability of $A \cup B$ involves the congruence property of $=$,
an interpolant in the form of a conjunction of equalities need not exist. Let

$A = \{u_1 = x \cdot u_0,\ v_1 = x \cdot v_0\}$ and $B = \{u_0 = v_0,\ u_1 \neq v_1\}$

where the dot is an infix binary function symbol. There are no equalities entailed by $A$ that
do not contain $x$. The transitivity chain $u_1 = x \cdot u_0 = x \cdot v_0 = v_1$ contradicts $u_1 \neq v_1 \in B$,
but its middle equality is not entailed by $A$. However, $A$ does entail it under the condition
$u_0 = v_0$ that $B$ provides. That gives us the interpolant $u_0 = v_0 \Rightarrow u_1 = v_1$. □

Example 3.3. With

$A = \{x = z_1,\ x \cdot z_2 = z_3\}$ and $B = \{y = z_2,\ z_1 \cdot y \neq z_3\}$

pictured in Figure 2, we can derive false from the chain $z_3 = x \cdot z_2 = z_1 \cdot y \neq z_3$, where
the congruence reasoning that produces the middle equality $x \cdot z_2 = z_1 \cdot y$ uses an equality
from $A$ ($x = z_1$) and an equality from $B$ ($z_2 = y$), and cannot be derived from either $A$
or $B$ alone. A simple split of the problematic equality into two produces a chain in which
every literal follows from either $A$ or $B$: $z_3 = x \cdot z_2 = z_1 \cdot z_2 = z_1 \cdot y \neq z_3$. The summary
$z_3 = z_1 \cdot z_2$ of the $A$-chain is an interpolant of $A$ and $B$. The upshot here is that creating
an interpolant may require terms (in this case, $z_1 \cdot z_2$) that do not occur in either $A$ or $B$.
See Lemma 4.6 below. □

Figure 2: The solid and the dashed arrows point to the two equalities of $A \cup B$ that entail
the equality $x \cdot z_2 = z_1 \cdot y$. (Example 3.3)



4. Interpolants From Congruence Closure 

Efficient decision procedures for the satisfiability of sets of literals in EUF are typically
based on congruence closure [NO80, DNS05, NO05]. In this section, we show that one can
minimally modify such procedures to produce interpolants as well.



4.1. Congruence Closure. The congruence closure algorithm takes as inputs

• a finite set $E$ of ground equalities and

• a finite subterm-closed set $T$ of ground terms.

Its state is an undirected graph $G$, initialized so that its vertex set is $T$ and its edge set is
empty. We write $u \sim v$ to mean that $u$ and $v$ are connected by a path in $G$. The algorithm
proceeds as follows.

(cc0) Let $G = (T, \emptyset)$.

(cc1) Choose distinct $s, t \in T$ such that $s \not\sim t$ and either

(a) $(s = t) \in E$; or

(b) $s$ is $f(s_1, \dots, s_k)$, $t$ is $f(t_1, \dots, t_k)$, and $s_1 \sim t_1, \dots, s_k \sim t_k$.

Then add the edge $(s, t)$ to $G$.

(cc2) Repeat (cc1) for as long as possible.

Theorem 4.1. [NO80, NO05] Let $\sim$ be the equivalence relation obtained by running the
congruence closure algorithm above. For every $s, t \in T$, one has $E \models s = t$ if and only if
$s \sim t$. Moreover, the set $E \cup \{s \neq t \mid s \not\sim t\}$ is satisfiable. □

If $L$ is an arbitrary set of ground EUF literals, let $L = L_{=} \cup L_{\neq}$, where $L_{=}$ and $L_{\neq}$
consist respectively of the equalities and disequalities of $L$. To check whether $L$ is
satisfiable, it suffices to run the congruence closure algorithm with $E = L_{=}$ and $T$ consisting
of all the terms (and subterms) occurring in $L$. By Theorem 4.1, $L$ is satisfiable if and only
if $s \not\sim t$ holds for every disequality $s \neq t$ in $L_{\neq}$. Equivalently, $L$ is unsatisfiable if and only if
$L_{=} \cup \{\delta\}$ is unsatisfiable for some $\delta \in L_{\neq}$.
4.2. Congruence Graphs. For any finite set $E$ of ground equalities and a finite subterm-closed
set $T$ of ground terms, a congruence graph over $E$ and $T$ is any intermediate
graph $G$ obtainable by the congruence closure algorithm above. We will not mention the
term set $T$ when it is understood or unimportant.

The assumption $s \not\sim t$ in Step (cc1) ensures that every congruence graph is acyclic.
Thus, if $u \sim v$ in a congruence graph $G$, there is a unique path connecting them. We
denote this path by $uv$. Empty paths are those of the form $uu$.

We call an edge of a congruence graph $G$ basic or derived depending on whether it has
been introduced in $G$ respectively because of Condition (a) or Condition (b) of Step (cc1).
A derived edge $(f(u_1, \dots, u_k), f(v_1, \dots, v_k))$ has $k$ parent paths $u_1v_1, \dots, u_kv_k$, some (but
not all) of which may be empty.

Example 4.2. Each of the graphs in Figures 1 and 2, when we delete from it the edge
marked with the $\neq$ symbol, is a congruence graph over the corresponding set of equalities
$(A \cup B)_{=}$. All edges in these graphs are basic; in Figure 2, a derived edge between the
nodes $x \cdot z_2$ and $z_1 \cdot y$ could be added as a consequence of the basic edges pointed to by the
arrows. □

Example 4.3. Let $E = (A \cup B)_{=}$ where

$A = \{x_1 = z_1,\ z_2 = x_2,\ z_3 = f\,x_1,\ f\,x_2 = z_4,\ x_3 = z_5,\ z_6 = x_4,\ z_7 = f\,x_3,\ f\,x_4 = z_8\}$,

$B = \{z_1 = z_2,\ z_5 = f\,z_3,\ f\,z_4 = z_6,\ y_1 = z_7,\ z_8 = y_2,\ y_1 \neq y_2\}$.

Figure 3(b) depicts a congruence graph over $E$. The basic edges are shown in Figure 3(a);
each corresponds to an equality in $E$. Since $f$ is unary, each of the three derived edges has
one parent path. □



4.3. Colorable Congruence Graphs. Let $A$ and $B$ be sets of ground literals and let $\Sigma_A$
and $\Sigma_B$ be the sets of non-logical symbols that occur in $A$ and $B$, respectively. Terms,
literals, and formulas over $\Sigma_A$ will be called $A$-colorable, those over $\Sigma_B$ will be called
$B$-colorable. Such expressions will be called colorable if they are either $A$-colorable
or $B$-colorable, and $AB$-colorable if they are both.

Example 4.4. In Example 3.3, $\Sigma_A = \{x, z_1, z_2, z_3, \cdot\}$ and $\Sigma_B = \{y, z_1, z_2, z_3, \cdot\}$. Terms and
equalities without occurrences of either $x$ or $y$ are $AB$-colorable. The term $x \cdot y$ and the
equality $x \cdot z_2 = z_1 \cdot y$ are not colorable. □

We extend the above definitions to edges of congruence graphs over $(A \cup B)_{=}$ so that an
edge $(s, t)$ has the same colorability attributes as the equality $s = t$. Note that basic edges
are always colorable. Finally, we define a path in a congruence graph (resp., a congruence
graph) to be colorable if all edges in the path (resp., graph) are colorable.

Example 4.5. The congruence graphs derived from graphs in Figures 1 and 2 by removing
their disequality edges are all colorable. Among the vertices (which are terms), the half-filled
ones are $AB$-colorable, the dark ones are $A$-colorable but not $B$-colorable, and the
light ones are $B$- but not $A$-colorable. However, if we add the derived edge $(x \cdot z_2, z_1 \cdot y)$ to
the graph in Figure 2, it will not be colorable. □



GROUND INTERPOLATION FOR THE THEORY OF EQUALITY



For our purposes, the uncolorability of some congruence graphs is not a problem thanks
to the following result.

Lemma 4.6. If $s$ and $t$ are colorable terms and if $A, B \models s = t$, then there exist a term
set $T$ and a colorable congruence graph over $(A \cup B)_{=}$ and $T$ in which $s \sim t$.

Proof. This is essentially Lemma 2 of [YM05], and the proof is constructive. Start with
any congruence graph $G$ with colorable vertices in which $s \sim t$ holds. If there are uncolorable
edges, let $e = (f(u_1, \dots, u_k), f(v_1, \dots, v_k))$ be a minimal such edge in the derivation
order. Thus, the parent paths $u_iv_i$ are all colorable, and each of them connects an
$A$-colorable vertex with a $B$-colorable one. It follows that there exists an $AB$-colorable
vertex $w_i$ on each path $u_iv_i$ (which may be one of its endpoints). The term $f(w_1, \dots, w_k)$
is $AB$-colorable, so add it to the vertex set of $G$ and replace $e$ in $G$ with the two edges
$(f(u_1, \dots, u_k), f(w_1, \dots, w_k))$ and $(f(w_1, \dots, w_k), f(v_1, \dots, v_k))$, both of which are colorable.
Now repeat the process until all uncolorable edges of $G$ are eliminated. The set $T$ is the
final set of vertices of $G$. □

Note that the proof of Lemma 4.6 provides an effective procedure for turning any
uncolorable graph into a colorable one. Using a data structure for the congruence graph
that also maintains for each derived edge a pointer to its parent paths allows a linear-time
bottom-up implementation of the procedure.

Example 4.7. Consider again the uncolorable congruence graph obtained by adding the
derived edge $(x \cdot z_2, z_1 \cdot y)$ to the graph in Figure 2. Using the procedure in the proof of
Lemma 4.6 we can turn it into a colorable congruence graph by replacing the edge $(x \cdot z_2, z_1 \cdot y)$
with the edges $(x \cdot z_2, z_1 \cdot z_2)$ and $(z_1 \cdot z_2, z_1 \cdot y)$. □



4.4. Colored Congruence Graphs. Assume (without loss of generality) that the literal
sets $A, B$ are disjoint. A coloring of a colorable congruence graph over $(A \cup B)_{=}$ is an
assignment of a unique color $A$ or $B$ to each edge of the graph, such that

• basic edges are assigned the color of the set they belong to,

• every edge colored $X$ has both endpoints $X$-colorable ($X \in \{A, B\}$).

Thus, to color a colorable congruence graph, the only choice we have is with $AB$-colorable
derived edges, and each of them can be colored arbitrarily. In the terminology of the
interpolation game described later in the paper, this means choosing which prover derives an
$AB$-equality in a situation when either of them could do it. In Figure 3(b,c) we have two colored
congruence graphs. They differ only in the coloring of $(f(z_3), f(z_4))$, the only derived edge
with $AB$-colorable endpoints.

In a colored graph, we can speak of $A$-paths (whose edges are all colored $A$), and
$B$-paths. There is also a color-induced factorization of arbitrary paths, where a factor
of a path $\pi$ is a maximal subpath of $\pi$ consisting of equally colored edges. Clearly, every
path can be uniquely represented as a concatenation of its factors, the consecutive factors
having distinct colors.
Figure 3: Congruence graphs over $(A \cup B)_{=}$, with $A$ and $B$ from Example 4.3: (a) the basic
edges; (b) and (c) two colored congruence graphs that differ only in the color of the derived
edge $(f(z_3), f(z_4))$. The connection between a derived edge and its parent is indicated by a
pair of arrows.



4.5. The Interpolation Algorithm. Our goal is to construct an interpolant for the pair
of sets $A$ and $B$ of ground literals that are jointly inconsistent in EUF. The algorithm
presented below relies on the results in the previous subsections, which guarantee the existence
(and computability) of a disequality $s \neq t$ in $A \cup B$ and a colored congruence graph $G$ over
$(A \cup B)_{=}$ such that $s$ and $t$ are connected in $G$.

A path $uv$ in a congruence graph represents the equality $u = v$ between its endpoints,
summarizing the reflexivity, symmetry and transitivity inferences encoded by the path. The
algorithm presented below builds an interpolant as a conjunction of Horn clauses whose
atoms are $AB$-colorable equalities, each summarizing an $A$-path or a $B$-path of the graph
$G$. The algorithm minimizes the number of such equalities by breaking paths only along
their color-induced factorization (as opposed to other, finer partitions).

We will write $[\![\pi]\!]$ to denote the equality represented by the path $\pi$. More generally, if
$P$ is a set of paths, $[\![P]\!]$ is the corresponding set of equalities. For convenience, we will take
$[\![uu]\!]$ to be true, instead of $u = u$, for each empty path $uu$. (Similarly for $[\![P]\!]$ when $P = \emptyset$.)

For every path $\pi$ in a colored congruence graph $G$, we define below the associated
$B$-premise set $\mathcal{B}(\pi)$, the $A$-justification $J(\pi)$, and the path interpolant $I(\pi)$. Intuitively,
for an $A$-path $\pi$, the $B$-premise set collects all the maximal $B$-paths in $G$ that allow
the construction of $\pi$ (by connecting ancestors of edges in $\pi$); the $A$-justification is an
implication from all the equalities represented by $\pi$'s $B$-premises to $[\![\pi]\!]$, capturing the fact that
$[\![\pi]\!]$ is a consequence of $A$ and all those equalities; the path interpolant is the conjunction
of $\pi$'s $A$-justification together with the path interpolants for each of its $B$-premises. For a
$B$-path $\pi$, the $B$-premise set is simply $\{\pi\}$; the $A$-justification is, trivially, $[\![\pi]\!] \Rightarrow [\![\pi]\!]$ (and
actually never used); the path interpolant is the conjunction of all the path interpolants of
$\pi$'s parent paths.

For instance, for the congruence graph in Figure 3(b), $\mathcal{B}(z_3z_4) = \{z_1z_2\}$, $J(z_3z_4) =
(z_1 = z_2 \Rightarrow z_3 = z_4)$, $I(z_3z_4) = I(z_5z_6) = (z_1 = z_2 \Rightarrow z_3 = z_4)$, $\mathcal{B}(z_7z_8) = \{z_5z_6\}$,
$J(z_7z_8) = (z_5 = z_6 \Rightarrow z_7 = z_8)$, and $I(z_7z_8) = (z_5 = z_6 \Rightarrow z_7 = z_8) \wedge (z_1 = z_2 \Rightarrow z_3 = z_4)$.
$$\mathcal{B}(\pi) = \begin{cases} \bigcup\{\mathcal{B}(\sigma) \mid \sigma \text{ is a factor of } \pi\} & \text{if } \pi \text{ has} \geq 2 \text{ factors} \\ \{\pi\} & \text{if } \pi \text{ is a } B\text{-path} \\ \bigcup\{\mathcal{B}(\sigma) \mid \sigma \text{ is a parent of an edge of } \pi\} & \text{if } \pi \text{ is an } A\text{-path} \end{cases} \qquad (4.1)$$

$$J(\pi) = \bigwedge [\![\mathcal{B}(\pi)]\!] \Rightarrow [\![\pi]\!] \qquad (4.2)$$

$$I(\pi) = \begin{cases} \bigwedge\{I(\sigma) \mid \sigma \text{ is a factor of } \pi\} & \text{if } \pi \text{ has} \geq 2 \text{ factors} \\ \bigwedge\{I(\sigma) \mid \sigma \text{ is a parent of an edge of } \pi\} & \text{if } \pi \text{ is a } B\text{-path} \\ J(\pi) \wedge \bigwedge\{I(\sigma) \mid \sigma \in \mathcal{B}(\pi)\} & \text{if } \pi \text{ is an } A\text{-path} \end{cases} \qquad (4.3)$$

Empty parent paths $\sigma$ in the definitions of $\mathcal{B}(\pi)$ and $I(\pi)$ can be ignored because
$[\![\sigma]\!] = J(\sigma) = I(\sigma) = \mathrm{true}$ when $\sigma$ is empty.

We also need a modified interpolant function expressed in terms of $I$ as follows. The
argument path $\pi$ is first decomposed as $\pi = \pi_1\theta\pi_2$, where $\theta$ is the largest subpath with
$B$-colorable endpoints, or an empty path if there are no $B$-colorable vertices on $\pi$; then

$$I'(\pi) = I(\theta) \wedge \bigwedge\{I(\tau) \mid \tau \in \mathcal{B}(\pi_1) \cup \mathcal{B}(\pi_2)\} \wedge \Big(\bigwedge [\![\mathcal{B}(\pi_1) \cup \mathcal{B}(\pi_2)]\!] \Rightarrow \neg[\![\theta]\!]\Big) \qquad (4.4)$$

It is not difficult to see that $\mathcal{B}$, $J$, $I$ and $I'$ are all well defined and computable. In
particular, $I'$ is well defined because $\pi_1, \theta, \pi_2$ are uniquely determined by $\pi$ if $\theta$ is not
empty, and if $\theta$ is empty, the way we write $\pi$ as $\pi_1\pi_2$ is irrelevant. Note that when $\pi = \theta$,
we have $I'(\pi) = I(\pi) \wedge \neg[\![\pi]\!]$.

The EUF ground interpolation algorithm, given as input two jointly inconsistent
(disjoint) sets $A, B$ of literals, proceeds as follows.

(i1) Run the congruence closure algorithm to find a congruence graph $G$ over $(A \cup B)_{=}$ and
a disequality $(s \neq t) \in A \cup B$ such that $s \sim t$ in $G$ (§4.1).

(i2) Modify $G$ as necessary to make it colorable (§4.3), then color it (§4.4).

(i3) If $(s \neq t) \in B$, return $I(st)$; if $(s \neq t) \in A$, return $I'(st)$.

Example 4.8. Let us run the algorithm for $A, B$ in Example 4.3, using the colored
congruence graph in Figure 3(b). Since $y_1 \neq y_2 \in B$, the interpolant is computed by applying
$I$ to $y_1y_2$:

$$I(y_1y_2) = I(y_1z_7) \wedge I(z_7z_8) \wedge I(z_8y_2) = \mathrm{true} \wedge I(z_7z_8) \wedge \mathrm{true}$$

$$= I(z_7z_8) = J(z_7z_8) \wedge \bigwedge\{I(\sigma) \mid \sigma \in \mathcal{B}(z_7z_8)\}$$

In turn, $\mathcal{B}(z_7z_8) = \mathcal{B}(x_3x_4) = \mathcal{B}(x_3z_5) \cup \mathcal{B}(z_5z_6) \cup \mathcal{B}(z_6x_4) = \emptyset \cup \{z_5z_6\} \cup \emptyset = \{z_5z_6\}$. Thus,
$J(z_7z_8) = (z_5 = z_6 \Rightarrow z_7 = z_8)$. Continuing the main computation:

$$I(y_1y_2) = J(z_7z_8) \wedge I(z_5z_6)$$

$$= J(z_7z_8) \wedge J(z_3z_4) \wedge \bigwedge\{I(\sigma) \mid \sigma \in \mathcal{B}(z_3z_4)\}$$

Now, $\mathcal{B}(z_3z_4) = \mathcal{B}(x_1x_2) = \mathcal{B}(x_1z_1) \cup \mathcal{B}(z_1z_2) \cup \mathcal{B}(z_2x_2) = \emptyset \cup \{z_1z_2\} \cup \emptyset = \{z_1z_2\}$. Thus,
$J(z_3z_4) = (z_1 = z_2 \Rightarrow z_3 = z_4)$. Back to the main computation again,

$$I(y_1y_2) = J(z_7z_8) \wedge J(z_3z_4) \wedge I(z_1z_2) = J(z_7z_8) \wedge J(z_3z_4) \wedge \mathrm{true}$$

$$= (z_5 = z_6 \Rightarrow z_7 = z_8) \wedge (z_1 = z_2 \Rightarrow z_3 = z_4)$$

The reader can verify that using the graph in Figure 3(c) results in a different interpolant:

$$I(y_1y_2) = (z_5 = f(z_3) \wedge z_6 = f(z_4) \wedge z_1 = z_2) \Rightarrow z_7 = z_8.$$
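To make the recursion of (4.1) to (4.4) concrete, here is an added Python rendering of $\mathcal{B}$, $J$, $I$ and $I'$ (example code for this page, not the authors' implementation). It takes a colored congruence graph as an explicit edge table in which each derived edge lists its parent paths, which is how Figure 3 presents the graph and how a congruence closure run can emit it. The table encoding, the clause representation and the function names are assumptions of the example; `figure_3` transcribes panels (b) and (c) from Example 4.3, and `hypothetical_A_case` applies $I'$ to an $A$-disequality $x_1 \neq x_2$ that does not come from the paper, purely to exercise the other branch of step (i3).

```python
"""The path-interpolant functions of §4.5 over a colored congruence graph.

Added example, not the authors' code. The graph is an edge table:
adj[u][v] = {"color": "A"|"B", "parents": tuple of parent paths}, where a
path is a tuple of vertices and empty parent paths are omitted. A Horn clause
is (frozenset of premise equalities, conclusion); an equality is the frozenset
of its two sides and the conclusion False means "⇒ false".
"""

def graph(edges):
    """adj from rows (u, v, color, parent paths) as read off a figure."""
    adj = {}
    for u, v, color, parents in edges:
        adj.setdefault(u, {})[v] = adj.setdefault(v, {})[u] = {"color": color, "parents": tuple(parents)}
    return adj

def color(adj, p):
    return adj[p[0]][p[1]]["color"]

def factors(adj, p):
    """Color-induced factorization: maximal subpaths of equally colored edges."""
    fs, i = [], 0
    while i < len(p) - 1:
        j = i + 1
        while j < len(p) - 1 and color(adj, p[j:]) == color(adj, p[i:]):
            j += 1
        fs.append(p[i:j + 1])
        i = j
    return fs

def parents(adj, p):
    """Parent paths of the (derived) edges of p."""
    return [q for i in range(len(p) - 1) for q in adj[p[i]][p[i + 1]]["parents"]]

def eq(p):
    """⟦p⟧ as an unordered pair of endpoints; None stands for true (empty path)."""
    return frozenset((p[0], p[-1])) if len(p) > 1 else None

def union(sets):
    return set().union(*sets)

def bprem(adj, p):
    """B-premise set B(π), equation (4.1)."""
    fs = factors(adj, p)
    if len(fs) >= 2:
        return union(bprem(adj, f) for f in fs)
    if not fs:
        return set()
    if color(adj, p) == "B":
        return {p}
    return union(bprem(adj, q) for q in parents(adj, p))

def justification(adj, p):
    """A-justification J(π) = ∧⟦B(π)⟧ ⇒ ⟦π⟧, equation (4.2)."""
    return (frozenset(eq(s) for s in bprem(adj, p)), eq(p))

def interpolant(adj, p):
    """Path interpolant I(π), equation (4.3), as a set of Horn clauses."""
    fs = factors(adj, p)
    if len(fs) >= 2:
        return union(interpolant(adj, f) for f in fs)
    if not fs:
        return set()
    if color(adj, p) == "B":
        return union(interpolant(adj, q) for q in parents(adj, p))
    return {justification(adj, p)} | union(interpolant(adj, s) for s in bprem(adj, p))

def interpolant_A(adj, bcol, p):
    """I'(π), equation (4.4), for a disequality from A; bcol = B-colorable vertices.
    θ is the largest subpath with B-colorable endpoints; the last clause
    ∧⟦B(π1) ∪ B(π2)⟧ ⇒ ¬⟦θ⟧ is written with ⟦θ⟧ among the premises and conclusion False."""
    i = [k for k, v in enumerate(p) if v in bcol]
    p1, th, p2 = (p[:i[0] + 1], p[i[0]:i[-1] + 1], p[i[-1]:]) if i else (p, p[:1], p[-1:])
    prem = bprem(adj, p1) | bprem(adj, p2)
    goal = frozenset(eq(s) for s in prem) | ({eq(th)} if len(th) > 1 else set())
    return interpolant(adj, th) | union(interpolant(adj, s) for s in prem) | {(goal, False)}

def figure_3(color_fz3fz4="B"):
    """Step (i3) on the graph of Figure 3 for y1 ≠ y2 ∈ B: 'B' is panel (b), 'A' panel (c)."""
    f = lambda t: ("f", t)
    x12 = ("x1", "z1", "z2", "x2")                        # parent path of (f x1, f x2)
    z34 = ("z3", f("x1"), f("x2"), "z4")                  # parent path of (f z3, f z4)
    x34 = ("x3", "z5", f("z3"), f("z4"), "z6", "x4")      # parent path of (f x3, f x4)
    basic_A = [("x1", "z1"), ("z2", "x2"), ("z3", f("x1")), (f("x2"), "z4"),
               ("x3", "z5"), ("z6", "x4"), ("z7", f("x3")), (f("x4"), "z8")]
    basic_B = [("z1", "z2"), ("z5", f("z3")), (f("z4"), "z6"), ("y1", "z7"), ("z8", "y2")]
    adj = graph([(u, v, "A", ()) for u, v in basic_A] + [(u, v, "B", ()) for u, v in basic_B]
                + [(f("x1"), f("x2"), "A", (x12,)), (f("z3"), f("z4"), color_fz3fz4, (z34,)),
                   (f("x3"), f("x4"), "A", (x34,))])
    return interpolant(adj, ("y1", "z7", f("x3"), f("x4"), "z8", "y2"))

def hypothetical_A_case():
    """Hypothetical (not from the paper): the disequality x1 ≠ x2 taken from A on the
    sub-path x1 z1 z2 x2 of Figure 3; θ = z1z2 and I'(x1x2) reduces to z1 = z2 ⇒ false."""
    adj = graph([("x1", "z1", "A", ()), ("z1", "z2", "B", ()), ("z2", "x2", "A", ())])
    return interpolant_A(adj, {"z1", "z2"}, ("x1", "z1", "z2", "x2"))
```

`figure_3("B")` returns the two clauses computed in Example 4.8 and `figure_3("A")` the single three-premise clause obtained from Figure 3(c); the only difference between the two runs is the color of one $AB$-colorable derived edge, which is exactly the free choice discussed in §4.4. The hypothetical $A$ case yields the goal clause $z_1 = z_2 \Rightarrow \mathrm{false}$, i.e. the interpolant $\neg(z_1 = z_2)$, as (4.4) predicts when $\pi_1$ and $\pi_2$ contribute no $B$-premises.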

4.6. Correctness. Our main correctness results can be expressed as follows.

Theorem 4.9. With any jointly inconsistent sets $A, B$ of EUF literals as inputs, the EUF
ground interpolation algorithm (§4.5) terminates and returns an interpolant for $A, B$ that
is a conjunction of Horn clauses. □

To prove the theorem we need to introduce some additional notions and notation. For
the rest of the section let $G$ be a colored congruence graph.

The termination of our recursive definitions and other inductive arguments are proved
using a well-founded relation $\prec$ over paths of $G$. Define $\sigma \prec_1 \pi$ to hold whenever:

• $\pi$ has more than one factor and $\sigma$ is one of them, or

• $\sigma$ is a parent path of an edge of $\pi$.

Then, define $\prec$ as the transitive closure of $\prec_1$. It is not difficult to see that the relation $\prec$
is well-founded. Note that minimal elements under $\prec$ are the paths all of whose edges are
basic and of the same color.

The following equations redefine the set $\mathcal{B}(\pi)$ of $B$-premises and introduce the analogous
set $\mathcal{A}(\pi)$ of $A$-premises.

$$\mathcal{A}(\pi) = \{A\text{-factors of } \pi\} \cup \mathcal{A}(\{\text{parent paths of } B\text{-edges of } \pi\}) \qquad (4.5)$$
$$\mathcal{B}(\pi) = \{B\text{-factors of } \pi\} \cup \mathcal{B}(\{\text{parent paths of } A\text{-edges of } \pi\}) \qquad (4.6)$$

Here and in the sequel, we use the convention $f(P) = \bigcup\{f(\pi) \mid \pi \in P\}$ for extending a
set-valued function $f$ defined on paths to a function defined on sets of paths. Observe that
(4.6) is just a restatement of (4.1). Also, the arguments in the recursive calls are smaller
than $\pi$ under the relation $\prec$, so termination is guaranteed.

The basic properties of $\mathcal{A}$ are collected in the following lemma. The analogous properties
of $\mathcal{B}$ follow by symmetry.

Lemma 4.10. Let $\pi$ be an arbitrary non-empty path in $G$.

(1) If $\pi$ is an $A$-path, then $\mathcal{A}(\pi) = \{\pi\}$; otherwise, $\sigma \prec \pi$ for every $\sigma \in \mathcal{A}(\pi)$.

(2) If $\sigma \in \mathcal{A}(\pi)$, then $\mathcal{A}(\sigma) \subseteq \mathcal{A}(\pi)$.

(3) If the endpoints of $\pi$ are $B$-colorable, then the endpoints of all paths in $\mathcal{A}(\pi)$ are
$AB$-colorable.

Proof. All three parts are proved by well-founded induction.

(1) If $\pi$ is an $A$-colored path, then $\pi$ is the only element of $\mathcal{A}(\pi)$ (by definition). If $\pi$
is not an $A$-colored path and $\tau$ is an element of $\mathcal{A}(\pi)$, then $\tau$ is either an $A$-factor of $\pi$ and
so $\tau \prec \pi$ holds, or $\tau \in \mathcal{A}(\sigma)$ for some parent $\sigma$ of a $B$-edge of $\pi$. In the latter case, $\tau \prec \pi$
holds because of $\sigma \prec \pi$ and the consequence $\tau \preceq \sigma$ of the induction hypothesis.

(2) If $\sigma$ is an $A$-factor of $\pi$, then $\mathcal{A}(\sigma) = \{\sigma\} \subseteq \mathcal{A}(\pi)$. If $\sigma \in \mathcal{A}(\tau)$ where $\tau$ is a
parent path of a $B$-edge of $\pi$, then $\mathcal{A}(\sigma) \subseteq \mathcal{A}(\tau) \subseteq \mathcal{A}(\pi)$, the first inclusion by induction
hypothesis, the second from the definition of $\mathcal{A}$.

(3) Since parent paths of any $B$-edge must have $B$-colorable endpoints, for the inductive
argument we only need to check that every $A$-factor of a path $\pi$ with $B$-colorable endpoints
has $AB$-colorable endpoints. Indeed, $A$-colorability of endpoints of $A$-factors is obvious.
For $B$-colorability, observe that an endpoint of an $A$-factor of $\pi$ is either also an endpoint
of a $B$-factor of $\pi$, or an endpoint of $\pi$ itself. □



The following lemma justifies the names $A$-premises and $B$-premises. Intuitively, $B$-premises
are the $B$-paths whose summaries, together with $A$, entail $[\![\pi]\!]$. Dually, $A$-premises
are the $A$-paths whose summaries, together with $B$, entail $[\![\pi]\!]$.

Lemma 4.11. $A, [\![\mathcal{B}(\pi)]\!] \models [\![\pi]\!]$ and $B, [\![\mathcal{A}(\pi)]\!] \models [\![\pi]\!]$ for every path $\pi$ in $G$.

Proof. We prove the first claim only, by well-founded induction based on $\prec$. Viewing $\pi$ as
the concatenation of its $B$-factors and $A$-edges, we have by transitivity

$$[\![B\text{-factors of } \pi]\!],\ [\![A\text{-edges of } \pi]\!] \models [\![\pi]\!]$$

and then, since $A \models [\![e]\!]$ for every basic $A$-edge $e$ (by definition of edge coloring),

$$A,\ [\![B\text{-factors of } \pi]\!],\ [\![\text{derived } A\text{-edges of } \pi]\!] \models [\![\pi]\!].$$

For every derived edge $e$ we have $[\![\text{parents of } e]\!] \models [\![e]\!]$. Thus,

$$A,\ [\![B\text{-factors of } \pi]\!],\ [\![\text{parents of } A\text{-edges of } \pi]\!] \models [\![\pi]\!],$$

so it suffices to prove $A, [\![\mathcal{B}(\pi)]\!] \models [\![\sigma]\!]$ for every $\sigma$ that is either a $B$-factor of $\pi$ or a parent
of an $A$-edge of $\pi$.

In the first case, the claim holds since $\sigma \in \mathcal{B}(\pi)$. In the second case, we have $\sigma \prec \pi$,
so the induction hypothesis gives us $A, [\![\mathcal{B}(\sigma)]\!] \models [\![\sigma]\!]$. To finish the proof, just use the fact
$\mathcal{B}(\sigma) \subseteq \mathcal{B}(\pi)$, by Lemma 4.10(2). □

Define the cumulative set of premises (cf. §6) of a path $\pi$ as

$$\mathcal{P}(\pi) = \{\pi\} \cup \mathcal{P}(\mathcal{B}(\mathcal{A}(\pi))). \qquad (4.7)$$

The termination of this recursive definition follows from Lemma 4.10(1).

Lemma 4.12. For every path $\pi$ in $G$, $I(\pi) = \bigwedge\{J(\sigma) \mid \sigma \in \mathcal{A}(\mathcal{P}(\pi))\}$.

Proof. Let $\mathcal{P}'(\pi) = \mathcal{A}(\mathcal{P}(\pi))$. From (4.7), we have

$$\mathcal{P}'(\pi) = \mathcal{A}(\pi) \cup \mathcal{P}'(\mathcal{B}(\mathcal{A}(\pi))) \qquad (4.8)$$

It suffices to check that

$$\mathcal{P}'(\pi) = \begin{cases} \bigcup\{\mathcal{P}'(\sigma) \mid \sigma \text{ is a factor of } \pi\} & \text{if } \pi \text{ has} \geq 2 \text{ factors} \\ \bigcup\{\mathcal{P}'(\sigma) \mid \sigma \text{ is a parent of an edge of } \pi\} & \text{if } \pi \text{ is a } B\text{-path} \\ \{\pi\} \cup \bigcup\{\mathcal{P}'(\sigma) \mid \sigma \in \mathcal{B}(\pi)\} & \text{if } \pi \text{ is an } A\text{-path} \end{cases}$$

since these three cases mirror those of (4.3), with $J(\pi)$ contributed exactly by the $A$-paths.

For the first case, suppose $\pi = \pi_1 \cdots \pi_k$ is the factorization of $\pi$. By definition of $\mathcal{A}$, we
have $\mathcal{A}(\pi) = \mathcal{A}(\pi_1) \cup \cdots \cup \mathcal{A}(\pi_k)$. The desired equality $\mathcal{P}'(\pi) = \mathcal{P}'(\pi_1) \cup \cdots \cup \mathcal{P}'(\pi_k)$ then
follows from (4.8).

Assume now that $\pi = e_1 \cdots e_k$ is a $B$-path. By definition of $\mathcal{A}$, we have $\mathcal{A}(\pi) =
\mathcal{A}(E_1) \cup \cdots \cup \mathcal{A}(E_k)$, where $E_i$ is the set of parent paths of the edge $e_i$ for $i = 1, \dots, k$.
Again, the desired equality $\mathcal{P}'(\pi) = \mathcal{P}'(E_1) \cup \cdots \cup \mathcal{P}'(E_k)$ follows from (4.8).

Finally, assume that $\pi$ is an $A$-path. Now $\mathcal{A}(\pi) = \{\pi\}$ and so $\mathcal{P}'(\pi) = \{\pi\} \cup \mathcal{P}'(\mathcal{B}(\pi))$,
again by (4.8). □



Lemma 4.13. $B, I(\pi) \models [\![\pi]\!]$ for every path $\pi$ in $G$ with $B$-colorable endpoints.

Proof. We argue by induction along $\prec$. Let $\sigma$ be an arbitrary $A$-premise of $\pi$ and $\tau$ an
arbitrary $B$-premise of $\sigma$. The endpoints of $\tau$ are $B$-colorable, because in general, every
$B$-premise of any path is a $B$-factor of some path, and every $B$-factor of any path has
$B$-colorable endpoints. Thus, the induction hypothesis applies to $\tau$ and we have $B, I(\tau) \models [\![\tau]\!]$.
From equation (4.8) we have $\mathcal{P}'(\tau) \subseteq \mathcal{P}'(\pi)$, so we can derive $I(\pi) \models I(\tau)$ using Lemma 4.12.
Thus, $B, I(\pi) \models [\![\tau]\!]$ for every $\tau \in \mathcal{B}(\sigma)$. By Lemma 4.12, $I(\pi)$ contains $J(\sigma)$ as a conjunct;
therefore, $B, I(\pi) \models [\![\sigma]\!]$. Since $\sigma$ here is an arbitrary element of $\mathcal{A}(\pi)$, the second claim of
Lemma 4.11 finishes the proof. □



Proof of Theorem 4.9. The algorithm terminates because all pertinent functions have been proven terminating.

Let $s \neq t$ be the disequality obtained in the step (i1) of the algorithm. Let $\pi$ be the path $st$, and let $st = \pi_1 \theta \pi_2$, as in the definition of $I'(\pi)$. The two cases to consider, $s \neq t \in B$ and $s \neq t \in A$, will be referred to as Cases 1 and 2 respectively. Let $\varphi$ be the returned formula: $I(\pi)$ in Case 1; $I'(\pi)$ in Case 2.

(i) $\varphi$ is an $AB$-colorable conjunction of Horn clauses. For any factor $\sigma$ of $\pi$ with $AB$-colorable endpoints, $J(\sigma)$ is an $AB$-colorable Horn clause. If $\pi$ has $AB$-colorable endpoints, then so do all paths in $P(\pi)$ and so, by Lemma 4.10(iii), all paths in $\mathcal{A}(P(\pi))$ have $AB$-colorable endpoints. With Lemma 4.12, this proves Case 1. For Case 2, observe that if $\theta$ is empty, then $I(\theta) = \llbracket \theta \rrbracket = \mathit{true}$; otherwise, $\theta$ has $AB$-colorable endpoints. Also, $\pi_1$ and $\pi_2$ are $A$-paths, so by the dual of Lemma 4.10(iii), all paths in $\mathcal{B}(\pi_1) \cup \mathcal{B}(\pi_2)$ have $AB$-colorable endpoints. These facts suffice to derive the proof of Case 2 from the already proved Case 1.

(ii) $A \models \varphi$. By the first claim of Lemma 4.11, $A \models J(\sigma)$ holds for every path $\sigma$. This suffices for Case 1. For Case 2 then, we only need to check that the last conjunct of $I'(\pi)$ is implied by $A$, which amoun­ts to showing $A, \llbracket \mathcal{B}(\pi_1) \rrbracket, \llbracket \mathcal{B}(\pi_2) \rrbracket \models \neg \llbracket \theta \rrbracket$. This indeed follows from the first claim of Lemma 4.11, the transitivity entailment $\llbracket \pi_1 \rrbracket, \llbracket \theta \rrbracket, \llbracket \pi_2 \rrbracket \models \llbracket \pi \rrbracket$, and the assumption $\neg \llbracket \pi \rrbracket \in A$.

(iii) $B, \varphi \models \mathit{false}$. In Case 1, we have $\neg \llbracket \pi \rrbracket \in B$, so Lemma 4.13 finishes the proof. In Case 2, Lemma 4.13 implies $B, I'(\pi) \models \llbracket \theta \rrbracket$ and $B, I'(\pi) \models \llbracket \tau \rrbracket$ for every $\tau \in \mathcal{B}(\pi_1) \cup \mathcal{B}(\pi_2)$. These consequences of $B \cup I'(\pi)$ contradict the last conjunct of $I'(\pi)$. □



5. Comparison with McMillan's Algorithm

Our EUF ground interpolation algorithm is, as far as we know, the only alternative to McMillan's algorithm [McM05b]. The latter constructs an interpolant for $A, B$ from the proof of $A, B \models \mathit{false}$ derived in a formal system ($\mathcal{L}$, say) with rules for introducing hypotheses (equalities from $A \cup B$), reflexivity, symmetry, transitivity, congruence, and contradiction (deriving $\mathit{false}$ from an equality and its negation). The algorithm proceeds top down by
Figure 4: A colored congruence graph for $A = \{x_1 = z_1, z_3 = f(x_1), f(z_2) = x_2, x_2 = z_4\}$ and $B = \{z_1 = y_1, y_1 = z_2, y_2 = z_3, z_4 = y_3, f(y_2) \neq f(y_3)\}$ with two derived edges $(f(x_1), f(z_2))$ and $(f(y_2), f(y_3))$.



annotating each intermediate derived equality $u = v$ (or $\mathit{false}$ in the final step) with a quadruple of the form $[u', v', \rho, \gamma]$, where $u', v'$ are terms and $\rho, \gamma$ are $AB$-colorable formulas. The annotation of each derived equality is obtained from annotations of the equalities occurring in the premises of the corresponding rule application. The exact computation of annotations is specified by 11 rules, each corresponding to a case (depending on colors of the terms involved) of one of the original six rules. An invariant that relates a derived intermediate equality with its annotation is formulated and all 11 rules are proved to preserve the invariant. The invariant implies that if $[u', v', \rho, \gamma]$ is the annotation of $\mathit{false}$, then $\rho \Rightarrow \gamma$ is an interpolant for $A, B$. It can be shown that $\rho$ is always a conjunction of Horn clauses, and $\gamma$ is a conjunction of equalities and at most one disequality.

There is a clear relationship between proofs in the formal system $\mathcal{L}$ and congruence graphs from which our interpolants are derived. The main difference is that in congruence graphs, paths condense inferences by reflexivity, symmetry, and transitivity. A congruence graph provides a big-step proof that, if necessary, can be expanded into a proof in the system $\mathcal{L}$.

In Example 3.1 (Figure 1(a)) our algorithm looks at the path $y_1 y_2$ and summarizes its only $A$-factor, producing the interpolant $z_1 = z_4$. McMillan's algorithm processes the path edge-by-edge, eagerly summarizing $A$-chains with $AB$-colorable endpoints, so that the interpolant it produces is $z_1 = z_2 \wedge z_2 = f(z_3) \wedge f(z_3) = z_4$.

For the second difference, consider Example 4.3 (Figure 3(b)), where McMillan's algorithm produces an entangled version $(z_1 = z_2 \wedge (z_3 = z_4 \Rightarrow z_5 = z_6)) \Rightarrow z_3 = z_4 \wedge z_7 = z_8$ of our interpolant $(z_1 = z_2 \Rightarrow z_3 = z_4) \wedge (z_5 = z_6 \Rightarrow z_7 = z_8)$, computed in Example 4.8. In general, McMillan's algorithm accumulates $B$-justifications (duals of our $J(\sigma)$) in the $\rho$-part of the annotation and keeps them past their one-time use to derive a particular conjunct of $\gamma$.

The third difference is in creating auxiliary $AB$-terms ("equality interpolants", in the terminology of Yorsh and Musuvathi [YM05]) to split derivations of equalities in which one side is not $A$-colorable and the other is not $B$-colorable, as in Example 3.3. We introduce such terms in the preliminary step (i2) of our algorithm only when required to make the congruence graph colorable. In contrast, McMillan's algorithm introduces these terms "on-the-fly", as in the example illustrated in Figure 4. When it derives the equality $x_1 = z_2$, its annotation is $[z_1, z_2, \mathit{true}, \mathit{true}]$; then, when it uses the congruence rule to derive $f(x_1) = f(z_2)$, this equality gets annotated with $[f(z_1), f(z_2), \mathit{true}, \mathit{true}]$, and the term $f(z_1)$ becomes part of the final interpolant $z_3 = f(z_1) \wedge f(z_2) = z_4$. On the other hand, our algorithm recognizes the edge $(f(x_1), f(z_2))$ as $A$-colorable and does not split it; the interpolant it produces is $z_1 = z_2 \Rightarrow z_3 = z_4$.
Figure 5: DPT vs. MathSAT on 45 benchmarks from the MathSAT library derived by partitioning unsatisfiable SMT-LIB benchmarks [BST11]. (Plot of interpolant size against resolution proof size, both in number of nodes.)

The final difference is in flexibility. McMillan's algorithm is fully specified and leaves little room for variation. On the other hand, the actions in the step (i2) of our algorithm are largely non-deterministic. Our current implementation chooses to minimize the number of vertices in the colorable modification of $\Gamma$, and then colors the graph with a strategy that eagerly minimizes the number of factors in the relevant paths. Other choices are yet to be explored.

5.1. Experimental evaluation. In general, our interpolation algorithm produces smaller and simpler interpolants. For experimental confirmation, we used the state-of-the-art implementation of McMillan's algorithm in MathSAT [CGS08] and compared it against our interpolation-generating extension of the DPT solver [Var08].

Two other relevant components, the propositional interpolation algorithm and the algorithm for combining propositional and theory interpolation in a DPLL($T$) framework [McM05b, CGS08], are the same in MathSAT and DPT, and therefore unlikely to substantially affect the comparison. The last factor to be accounted for in this comparison is the size of the resolution proofs derived from the DPLL search within each solver. Since these sizes are comparable, we can eliminate differences in propositional reasoning as a cause for DPT's producing smaller interpolants.

We ran both solvers on 45 EUF interpolation benchmarks selected from the set of 100 that are used in [CGS08]. (In the remaining 55 benchmarks, either all formulas in $A$ are $B$-colorable, or all formulas in $B$ are $A$-colorable, so one of the formulas $A$, $\neg B$ is an easily obtained interpolant.) Both solvers computed 42 interpolants, timing out in 100s on the same three benchmarks. Runtimes were comparable, with DPT being slightly faster. Figure 5 shows the sizes of interpolants produced: DPT interpolants are, on average, 3.8 times smaller, in spite of DPT proofs being, on average, 1.7 times larger.

While these experimental results confirm the claim that our algorithm produces smaller interpolants, we observe that formula size is not necessarily a good metric, given the ability of modern SMT solvers to process large formulas quickly. It could be argued that some measure of logical strength would be better instead. The case for that, however, is not obvious either. To start, the only reasonable way to compare two first-order logic formulas $\varphi_1$ and $\varphi_2$ for logical strength is to check whether one of the two entails the other in the theory (i.e., whether $\varphi_1 \models_T \varphi_2$ or $\varphi_2 \models_T \varphi_1$). Unfortunately, entailment is not a total relation and so it is possible to have incomparable interpolants for the same partition $A, B$ of a set of formulas. Finally, even with comparable interpolants, whether the stronger or the weaker one is better depends on the specific application using them; worse still, for other applications, such as interpolation-based predicate abstraction, it is questionable whether logical strength (or formula size, for that matter) is of any importance, since interpolants are simply mined for useful predicates. Further work is needed to identify useful evaluation metrics for interpolants and then see if the flexibility of our algorithm, or a suitably modified version of it, can be used to produce better interpolants according to some of those metrics.

6. Interpolation as a Cooperative Game

Our results about EUF interpolation can be generalized to a wider class of theories $T$ in terms of a cooperative interpolation game between two deductive provers for $T$, possibly two copies of the same prover. The game metaphor suggests a simple and general mechanism for producing interpolants from sets of formulas and theories that satisfy certain requirements. We define this mechanism and prove its properties in §6.2 and §6.3, after giving an informal general description of the interpolation game.

For the rest of the section, let $T$ be a first-order theory of signature $\Sigma$, and let $A$ and $B$ be two disjoint sets of formulas possibly containing free symbols, i.e., predicate and function symbols not in $\Sigma$. For convenience, and without loss of generality, we consider only formulas with no free variables. Let $\Sigma_I$ be the shared signature, the expansion of $\Sigma$ with the free symbols occurring in both $A$ and $B$.

6.1. The interpolation game. The participants are an $A$-PROVER and a $B$-PROVER which incrementally construct a set $S_A$ and a set $S_B$ of $\Sigma_I$-formulas. The game starts with $S_A = S_B = \emptyset$ and proceeds in rounds so that at each round one of the following happens:

• the $A$-prover adds to $S_A$ one or more $\Sigma_I$-formulas $\alpha$ such that $A, \beta_1, \ldots, \beta_n \models_T \alpha$ for some $\beta_1, \ldots, \beta_n \in S_B$, the $B$-PREMISES of $\alpha$;

• the $B$-prover adds to $S_B$ one or more $\Sigma_I$-formulas $\beta$ such that $B, \alpha_1, \ldots, \alpha_n \models_T \beta$ for some $\alpha_1, \ldots, \alpha_n \in S_A$, the $A$-PREMISES of $\beta$.

The game ends successfully when the $B$-prover adds $\mathit{false}$ to $S_B$.

As we discuss below, a $T$-interpolant for $A$ and $B$ can be generated from a successful run of the game by tracking the $B$-premises of each formula in $S_A$ and the $A$-premises of each formula in $S_B$.

Note that, as described, the interpolation game involves arbitrary theories and input sets $A$ and $B$. Also, the game does not have to use two provers literally. If $A \cup B$ has a local refutation (see later) in the theory $T$, it is possible to extract from that refutation a successful run of the game from which a $T$-interpolant of $A$ and $B$ can then be generated.

For some theories and classes of input formulas the game admits complete strategies, guaranteed to end the game when $A$ and $B$ are jointly $T$-unsatisfiable. Depending on the theory and the class of input formulas, these strategies can be considerably restrictive in the choice of formulas to propagate from one prover to the other (i.e., formulas to add to $S_A$ and $S_B$). For instance, when $A$ and $B$ are sets of ground literals and the theory is convex¹, it is enough to propagate just ground atomic formulas in all rounds of the game. In that case, all interpolants computed will be conjunctions of ground Horn clauses.

¹ A theory is CONVEX if $L \models_T p_1 \vee \cdots \vee p_k$ implies $L \models_T p_i$ for some $i$, where $L$ is any set of ground literals and the $p_i$ are any positive literals.

Figure 6: A long derivation. (Example 6.3)



The interpolation method described in §4.5 for the theory of equality (which is convex) can be seen as a customized implementation of the interpolation game, with formula propagation restricted to (positive) equalities. A colorable congruence graph is a compact representation of a local refutation, and the interpolation function $I$ defined in §4.5 can be understood as generating the interpolant from a successful run of the game extracted from the local refutation.



Example 6.1. Looking back at Example 3.1 in terms of the interpolation game above, we can see that in each of the three cases presented in the example there is a successful interpolation game with two rounds. In the first round, the $A$-prover derives a conjunction of literals in the shared signature (respectively, $z_1 = z_4$; $z_1 = z_3 \wedge f(z_3) = z_4 \wedge f(z_2) = z_5$; and $z_1 = z_2 \wedge f(z_3) \neq z_4 \wedge f(z_2) = z_5$) that the $B$-prover then uses to derive $\mathit{false}$. □



Example 6.2. For the sets $A$ and $B$ in Example 3.2, there is a game with three rounds where $u_0 = v_0$ is initially derived by the $B$-prover, $u_1 = v_1$ is derived next by the $A$-prover, and then $\mathit{false}$ is derived by the $B$-prover. □

Example 6.3. Generalizing the previous example, consider this matrix-organized set of literals:

$$\begin{array}{cccccc}
 & x_1 \cdot u_0 = u_1 & x_2 \cdot u_1 = u_2 & \cdots & x_n \cdot u_{n-1} = u_n & \\
u_0 = v_0 & & & & & u_n \neq v_n \\
 & x_1 \cdot v_0 = v_1 & x_2 \cdot v_1 = v_2 & \cdots & x_n \cdot v_{n-1} = v_n &
\end{array}$$

Let $A$ be the set of literals occurring in the odd-numbered columns (with columns counted starting from 1) of this matrix, and $B$ be the set of the remaining literals; see Figure 6. The shared symbols are $u_0, v_0, \ldots, u_n, v_n$, the symbols local to $A$ are $x_2, x_4, \ldots$, and the symbols local to $B$ are $x_1, x_3, \ldots$

A run of the interpolation game takes $n + 2$ rounds. It begins with the $A$-prover adding $u_0 = v_0$ to $S_A$. Then, using the equalities from the second column, the $B$-prover can derive $u_1 = v_1$, and add it to $S_B$. Now, the $A$-prover can use this equality together with equalities from the third column to derive $u_2 = v_2$ and add it to $S_A$. Assuming $n$ is even, the last equality $u_n = v_n$ will be derived by the $A$-prover, after which $B$ derives $\mathit{false}$. Collecting justifications of all equalities derived by $A$, we obtain the interpolant

$$(u_0 = v_0) \wedge (u_1 = v_1 \Rightarrow u_2 = v_2) \wedge \cdots \wedge (u_{n-1} = v_{n-1} \Rightarrow u_n = v_n) .$$

□
Remark 6.4. The well-known method for combining decision procedures due to Nelson and Oppen [NO79] is essentially a version of the interpolation game. The main differences are that in the Nelson-Oppen method (i) the input sets of formulas $A_1$ and $A_2$ need not be jointly $T$-unsatisfiable; (ii) the goal is not to produce interpolants for $A_1$ and $A_2$ but just to check the $T$-unsatisfiability of $A_1 \cup A_2$; (iii) $T$ is the union of two signature-disjoint theories $T_1$ and $T_2$; (iv) each formula $A_i$ is built from the symbols of $T_i$ and free constants; (v) each $A_i$-prover works just over $T_i$ instead of the whole $T$; (vi) additional restrictions on $T_1$ and $T_2$ guarantee termination even when $A_1 \cup A_2$ is $T$-satisfiable.

A description of a Nelson-Oppen combination framework in terms similar to our interpolation game is given by Ghilardi [Ghi05]. □

6.2. Extracting interpolants from interpolation runs. To show how to generate $T$-interpolants from runs of the interpolation game we start by formalizing the notion of a run.

Definition 6.5. A $T$-interpolation run for $A$ and $B$ is a triple $(S_A, S_B, \sqsubset)$ where $S_A$ and $S_B$ are two disjoint finite sets of $\Sigma_I$-formulas and $\sqsubset$ is a well-founded (partial) ordering on $S_A \cup S_B$ with associated computable functions $P_B : S_A \to 2^{S_B}$, $P_A : S_B \to 2^{S_A}$ such that:

(1) $A, P_B(\alpha) \models_T \alpha$ and $\beta \sqsubset \alpha$ for all $\beta \in P_B(\alpha)$;

(2) $B, P_A(\beta) \models_T \beta$ and $\alpha \sqsubset \beta$ for all $\alpha \in P_A(\beta)$.

A $T$-interpolation run $(S_A, S_B, \sqsubset)$ is SUCCESSFUL if $\mathit{false} \in S_B$.



Given a $T$-interpolation run $(S_A, S_B, \sqsubset)$, we extend $P_B$ from $S_A$ to $2^{S_A}$ as done in §4.6; that is, for all $S \subseteq S_A$,

$$P_B(S) = \bigcup \{ P_B(\alpha) \mid \alpha \in S \} .$$

We extend $P_A$ from $S_B$ to $2^{S_B}$ in a similar way. Then, for all $\beta \in S_B$ let

$$P(\beta) = \{\beta\} \cup \bigcup \{ P(\beta') \mid \beta' \in P_B(P_A(\beta)) \} .$$

Extending $P$ to $2^{S_B}$ as done with $P_A$, we can write the definition of $P$ more compactly as

$$P(\beta) = \{\beta\} \cup P(P_B(P_A(\beta))) .$$

Finally, we define the (computable) function $I$ from $S_B$ to the set of $\Sigma_I$-formulas such that

$$I(\beta) = \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(P(\beta)) \} .$$

This function returns PARTIAL $T$-INTERPOLANTS in the following sense.

Lemma 6.6. Let $(S_A, S_B, \sqsubset)$ be a $T$-interpolation run for $A$ and $B$ and let $I$ be defined as above. Then, for all $\beta \in S_B$,

(1) $A \models_T I(\beta)$;

(2) $B, I(\beta) \models_T \beta$.
Proof. We prove both claims by well-founded induction on $\sqsubset$. By definition, $P(\beta) = \{\beta\} \cup P(\beta_1) \cup \cdots \cup P(\beta_k)$ where $\{\beta_1, \ldots, \beta_k\} = P_B(P_A(\beta))$ with $k \geq 0$. Then,

$$\begin{aligned}
I(\beta) &= \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(\{\beta\} \cup P(\beta_1) \cup \cdots \cup P(\beta_k)) \} \\
&= \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(\beta) \cup P_A(P(\beta_1)) \cup \cdots \cup P_A(P(\beta_k)) \} \\
&= \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(\beta) \} \cup \bigcup_i \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(P(\beta_i)) \} \\
&= \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(\beta) \} \cup \bigcup_i I(\beta_i)
\end{aligned}$$

To prove Claim (1), we check that every element of $I(\beta)$ is entailed by $A$. Indeed, $A \models_T I(\beta_i)$ holds by the induction hypothesis, and $A \models_T P_B(\alpha) \Rightarrow \alpha$ follows directly from the defining property of $P_B$.

The defining property $B, P_A(\beta) \models_T \beta$ of $P_A$ reduces proving Claim (2) to proving $B, I(\beta) \models_T \alpha$ for every $\alpha \in P_A(\beta)$. Since $(P_B(\alpha) \Rightarrow \alpha)$ is in $I(\beta)$, it suffices to prove that $B, I(\beta) \models_T P_B(\alpha)$. And indeed, $P_B(\alpha)$ is a subset of $\{\beta_1, \ldots, \beta_k\}$, and $B, I(\beta) \models_T \beta_i$ holds by the induction hypothesis, since $I(\beta_i) \subseteq I(\beta)$. □



Lemma 6.6 is the induction vehicle for the following main result.

Theorem 6.7. Let $(S_A, S_B, \sqsubset)$ be a successful $T$-interpolation run for $A$ and $B$ and let $I$ be defined as above. The formula $\bigwedge I(\mathit{false})$ is a $T$-interpolant of $A$ and $B$.

Proof. Since $\mathit{false} \in S_B$, we can instantiate Lemma 6.6 with $\beta$ equal to $\mathit{false}$. The free symbols occurring in $I(\mathit{false})$ are shared by $A$ and $B$ because, by construction, $I$ returns $\Sigma_I$-formulas. □



6.3. Interpolation runs from local refutations. The next question is how to construct successful interpolation runs for $A$ and $B$. One way is to extract them from proofs of $T$-unsatisfiability of $A \cup B$ in a suitable proof system. We define a fairly general notion of a proof system and show that any refutation of $A \cup B$ in the system that is local in the sense of Jhala and McMillan [JM06] contains a successful interpolation run.

6.3.1. Proofs and proof systems. A proof rule is a binary relation between finite sets of formulas and formulas. Any pair $\varphi_1, \ldots, \varphi_n \vdash \varphi$, with $n \geq 0$, in a proof rule, usually written as

$$\frac{\varphi_1 \quad \cdots \quad \varphi_n}{\varphi}$$

is an INFERENCE STEP with PREMISES $\varphi_1, \ldots, \varphi_n$ and CONCLUSION $\varphi$. The conclusion of an inference step with an empty set of premises is an axiom. A proof system is a set of proof rules. A proof rule is sound with respect to a theory $T$ if $\varphi_1, \ldots, \varphi_n \models_T \varphi$ for each inference step $\varphi_1, \ldots, \varphi_n \vdash \varphi$ of the rule.

Definition 6.8. For every proof system $\mathcal{R}$, formula $\varphi$ and set of formulas $S$, a proof of $\varphi$ FROM $S$ IN $\mathcal{R}$ is a labelled tree defined inductively as follows.

(1) If $\varphi \in S$, the one-node tree with root labelled $\varphi$ is a proof of $\varphi$ from $S$ in $\mathcal{R}$;

(2) if $\varphi_1, \ldots, \varphi_n \vdash \varphi$ is an inference step of $\mathcal{R}$ and $D_i$ a proof of $\varphi_i$ from $S$ in $\mathcal{R}$ for $i = 1, \ldots, n$, then the tree $D$ with root $\varphi$ and immediate subtrees $D_1, \ldots, D_n$ is a proof of $\varphi$ from $S$ in $\mathcal{R}$. The roots of $D_1, \ldots, D_n$ are the parents of the root of $D$.

A REFUTATION of $S$ in $\mathcal{R}$ is a proof of $\mathit{false}$ from $S$ in $\mathcal{R}$. □
In the following, we will identify nodes of a proof with their labels when this does not cause confusion. Observe that if all the rules of $\mathcal{R}$ are sound with respect to a theory $T$, then $S \models_T \varphi$ for each proof in $\mathcal{R}$ of a formula $\varphi$ from a set of formulas $S$. In particular, any set of formulas that has a refutation in $\mathcal{R}$ is $T$-unsatisfiable.



Extending the terminology introduced in §4.3, we say that an inference step in $\mathcal{R}$ is $A$-COLORABLE (resp., $B$-COLORABLE) if the formulas in the inference step are all $A$-colorable (resp., all $B$-colorable). We define a proof of a formula $\varphi$ from $A \cup B$ in $\mathcal{R}$ to be LOCAL if every inference step in the proof is $A$- or $B$-colorable. An example of a local proof is shown in Figure 7.

6.3.2. Constructing interpolation runs. Fix any proof system $\mathcal{R}$ that is sound for $T$. We show that from any local proof $D$ from $A \cup B$ in $\mathcal{R}$, we can construct a $T$-interpolation run $(S_A, S_B, \sqsubset)$ so that if $D$ is a refutation then $\mathit{false} \in S_B$. (Then, the function $I$ can be used to produce a $T$-interpolant of $A$ and $B$ as shown in §6.2.)

Let $D$ be a local refutation of $A \cup B$ in $\mathcal{R}$. Without loss of generality we can assume that (i) if two nodes of $D$ have the same label, then they are roots of structurally identical subtrees of $D$, and (ii) the parents of $\mathit{false}$ in $D$ are all $B$-colorable. Local refutations that do not satisfy Requirement (ii) can be modified by replacing $\mathit{false}$ with a new logical constant $\mathit{false}'$ interpreted in the same way and then adding a final, $B$-colorable inference, $\mathit{false}' \vdash \mathit{false}$.

Define $\sqsubset$ as the relation on the labels of $D$ such that $\varphi \sqsubset \psi$ iff $\varphi$ is an ancestor of $\psi$ in $D$. By the assumptions on $D$, the (finite) relation $\sqsubset$ is acyclic. Hence, both $\sqsubset$ and its inverse are well founded.

If we cut $D$ at a node $\varphi$, we obtain two local proofs in $\mathcal{R}$: a local proof of $\varphi$ from $A \cup B$ (the tree rooted at $\varphi$), and a local proof of $\mathit{false}$ from $A \cup B \cup \{\varphi\}$ (the remaining tree, with the same root as $D$ and $\varphi$ as one of its leaves). More generally, we can decompose $D$ into several smaller local proofs by cutting it repeatedly at different nodes.

Definition 6.9. A pair $T_A, T_B$ of sets of nodes in $D$ is a COLORING CUT of $D$ if

(1) all nodes in $T_A \cup T_B$ are $AB$-colorable;

(2) $T_A$ and $T_B$ are disjoint, and $\mathit{false}$ is in $T_B$;

(3) for all $\alpha \in T_A$ and $\psi \in T_A \cup (B \setminus T_B)$ with $\psi \sqsubset \alpha$, there is a $\beta \in T_B$ such that $\psi \sqsubset \beta \sqsubset \alpha$;

(4) for all $\beta \in T_B$ and $\psi \in T_B \cup (A \setminus T_A)$ with $\psi \sqsubset \beta$, there is an $\alpha \in T_A$ such that $\psi \sqsubset \alpha \sqsubset \beta$.

It is simple to verify that cutting $D$ at the nodes of $T_A \cup T_B$, where $T_A, T_B$ is a coloring cut, decomposes $D$ into colorable proofs. More precisely, every resulting smaller proof rooted at a node of $T_A$ (resp., $T_B$) consists of $A$-colorable (resp., $B$-colorable) nodes.

Example 6.10. Let $T$ be some arbitrary theory with a signature consisting of the predicate symbols $r, t$ and such that $\models_T \forall x.(r(x) \Rightarrow t(x))$. Then, let

$$\begin{aligned}
A &= \{\forall u v.(p(u) \wedge q(v,u) \Rightarrow r(u)),\ p(a),\ r(b) \vee q(fa,a)\}, \\
B &= \{\forall v.(s(v) \wedge r(v) \Rightarrow r(fv)),\ \forall x.s(x),\ \neg r(b),\ \neg t(fa)\} .
\end{aligned}$$

where $p, q, a, b, f$ and $s$ are non-theory symbols. The proof in Figure 7 is a local refutation of $A \cup B$. The exact proof system used to build the refutation is not important here. Simply observe that each inference step is sound with respect to $T$, which shows that $A \cup B$ is $T$-unsatisfiable.
Figure 7: A local refutation $D$ of $A \cup B$. The symbols $r$ and $t$ are from the theory's signature. Of the remaining symbols, $p$ and $q$ occur only in $A$, $s$ occurs only in $B$, and $a$, $b$ and $f$ occur in both. The formulas marked with * are those in the coloring cut in Example 6.10. Read from the leaves down, the inference steps of $D$ are:

• $q(fa,a)$ from $r(b) \vee q(fa,a)$ and $\neg r(b)$*;

• $p(a) \Rightarrow r(a)$ from $\forall u v.(p(u) \wedge q(v,u) \Rightarrow r(u))$ and $q(fa,a)$;

• $\forall v.(s(v) \wedge r(v) \Rightarrow t(fv))$ from $\forall v.(s(v) \wedge r(v) \Rightarrow r(fv))$;

• $\forall x.(r(x) \Rightarrow t(fx))$* from $\forall x.s(x)$ and $\forall v.(s(v) \wedge r(v) \Rightarrow t(fv))$;

• $p(a) \Rightarrow t(fa)$ from $p(a) \Rightarrow r(a)$ and $\forall x.(r(x) \Rightarrow t(fx))$;

• $t(fa)$* from $p(a) \Rightarrow t(fa)$ and $p(a)$;

• $\mathit{false}$* from $t(fa)$ and $\neg t(fa)$.



A coloring cut of $D$ is given by the sets

$$T_A = \{t(fa)\} \quad \text{and} \quad T_B = \{\neg r(b),\ \forall x.(r(x) \Rightarrow t(fx)),\ \mathit{false}\} .$$

Note that the last inference step (the one with conclusion $\mathit{false}$) is both $A$- and $B$-colorable. In the cut, however, it is essentially seen as a $B$-colored step. □

Every coloring cut induces a successful interpolation run.

Theorem 6.11. If $S_A, S_B$ is a coloring cut, then $(S_A, S_B, \sqsubset)$ is a successful $T$-interpolation run for $A$ and $B$.



Proof. It is enough to define functions $P_A$ and $P_B$ satisfying Definition 6.5.

For each $\alpha \in S_A$, let $D_\alpha$ be the proof of $\alpha$ in the decomposition of $D$ defined by the coloring cut $S_A, S_B$. Define

$$P_B(\alpha) = \{\beta \in S_B \mid \beta \text{ is a leaf of } D_\alpha\} .$$

Clearly, $\beta \sqsubset \alpha$ for all $\beta \in P_B(\alpha)$. To show that $A, P_B(\alpha) \models_T \alpha$ we show that every leaf of $D_\alpha$ is in $A \cup P_B(\alpha)$. Now, every leaf $\varphi$ of $D_\alpha$ is either a leaf of $D$ (so an element of $A \cup B$), or a cut node (an element of $S_A \cup S_B$). Since $\varphi \sqsubset \alpha$, it follows from the third defining property of coloring cuts that $\varphi \notin S_A \cup (B \setminus S_B)$ (otherwise, we would be able to cut at a node between $\varphi$ and $\alpha$). Thus, $\varphi \in S_B \cup A$.

The function $P_A$ is defined similarly. □



Example 6.12. The $T$-interpolation run induced by the coloring cut in Example 6.10 can be described informally in terms of the interpolation game as follows. In the first round, the $B$-prover adds to $S_B$ the formulas $\beta_1 = \neg r(b)$ and $\beta_2 = \forall x.(r(x) \Rightarrow t(fx))$, each with an empty set of $A$-premises (i.e., $P_A(\beta_1) = P_A(\beta_2) = \emptyset$). In the second round, the $A$-prover adds to $S_A$ the formula $\alpha_1 = t(fa)$, with $P_B(\alpha_1) = \{\beta_1, \beta_2\}$. In the third and final round, the $B$-prover adds $\mathit{false}$ to $S_B$, with $P_A(\mathit{false}) = \{\alpha_1\}$.

The $T$-interpolant computed by the function $I$, defined in §6.2, from this interpolation run is $\beta_1 \wedge \beta_2 \Rightarrow \alpha_1$, as shown below.

$$\begin{aligned}
P(\beta_1) &= \{\beta_1\} \cup P(P_B(P_A(\beta_1))) = \{\beta_1\} \cup \emptyset = \{\beta_1\} \\
P(\beta_2) &= \{\beta_2\} \cup P(P_B(P_A(\beta_2))) = \{\beta_2\} \cup \emptyset = \{\beta_2\} \\
P(\mathit{false}) &= \{\mathit{false}\} \cup P(P_B(P_A(\mathit{false}))) = \{\mathit{false}\} \cup P(P_B(\alpha_1)) \\
&= \{\mathit{false}\} \cup P(\beta_1) \cup P(\beta_2) = \{\mathit{false}, \beta_1, \beta_2\} \\
P_A(P(\mathit{false})) &= P_A(\mathit{false}) \cup P_A(\beta_1) \cup P_A(\beta_2) = \{\alpha_1\} \cup \emptyset \cup \emptyset = \{\alpha_1\} \\
I(\mathit{false}) &= \bigcup \{ P_B(\alpha) \Rightarrow \alpha \mid \alpha \in P_A(P(\mathit{false})) \} = \{\beta_1 \wedge \beta_2 \Rightarrow \alpha_1\}
\end{aligned}$$

□
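The definitions of $P_B$, $P_A$, $P$ and $I$ from §6.2, implemented as an added example that is not the paper's own code: a run is given by its two premise functions (the ordering $\sqsubset$ is then the premise relation, whose well-foundedness is checked as acyclicity), formulas are plain strings, and the two sample runs are those of Example 6.12 above and of Example 6.3 for an arbitrary even $n$.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Formulas are plain strings.  A run (S_A, S_B, ⊏) is given by its premise
# functions P_A and P_B (formula -> set of premises); ⊏ is the transitive
# closure of "is a premise of", which Definition 6.5 requires to be well founded.
Clause = Tuple[FrozenSet[str], str]     # (premises, conclusion): ∧premises ⇒ conclusion
Run = Tuple[Set[str], Set[str], Dict[str, Set[str]], Dict[str, Set[str]]]


def is_well_founded(P_A: Dict[str, Set[str]], P_B: Dict[str, Set[str]]) -> bool:
    """On a finite run, ⊏ is well founded iff the premise relation is acyclic."""
    premises = {**P_A, **P_B}               # S_A and S_B are disjoint, so no clash
    WHITE, GREY, BLACK = 0, 1, 2
    color = {phi: WHITE for phi in premises}

    def visit(phi: str) -> bool:
        if color.get(phi, BLACK) == GREY:   # back edge: a cycle in ⊏
            return False
        if color.get(phi, BLACK) == BLACK:  # done, or a formula with no premises
            return True
        color[phi] = GREY
        ok = all(visit(psi) for psi in premises[phi])
        color[phi] = BLACK
        return ok

    return all(visit(phi) for phi in premises)


def cumulative_premises(beta: str, P_A, P_B) -> Set[str]:
    """P(β) = {β} ∪ P(P_B(P_A(β))): β together with every B-formula that an
    A-premise of β depends on, transitively."""
    result = {beta}
    for alpha in P_A[beta]:
        for beta2 in P_B[alpha]:
            result |= cumulative_premises(beta2, P_A, P_B)
    return result


def partial_interpolant(beta: str, P_A, P_B) -> Set[Clause]:
    """I(β) = { P_B(α) ⇒ α | α ∈ P_A(P(β)) }, the partial interpolant of Lemma 6.6."""
    return {(frozenset(P_B[alpha]), alpha)
            for beta2 in cumulative_premises(beta, P_A, P_B)
            for alpha in P_A[beta2]}


def interpolant(run: Run) -> Set[Clause]:
    """Theorem 6.7: the conjuncts of ∧ I(false) for a successful run."""
    S_A, S_B, P_A, P_B = run
    assert "false" in S_B and is_well_founded(P_A, P_B)
    return partial_interpolant("false", P_A, P_B)


def render(clauses: Set[Clause]) -> str:
    """Conjunction of Horn clauses as text; an empty premise set is a plain fact."""
    def one(c: Clause) -> str:
        prem, concl = c
        return concl if not prem else " ∧ ".join(sorted(prem)) + " ⇒ " + concl
    return " ∧ ".join("(" + one(c) + ")" for c in sorted(clauses, key=one))


def example_6_12() -> Run:
    """The run of Example 6.12: β1, β2 have no A-premises, P_B(α1) = {β1, β2},
    and P_A(false) = {α1}."""
    b1, b2, a1 = "¬r(b)", "∀x.(r(x) ⇒ t(fx))", "t(fa)"
    P_B = {a1: {b1, b2}}
    P_A = {b1: set(), b2: set(), "false": {a1}}
    return {a1}, {b1, b2, "false"}, P_A, P_B


def example_6_3(n: int) -> Run:
    """The (n+2)-round run of Example 6.3 for even n: u_i = v_i is derived from
    u_{i-1} = v_{i-1} by the A-prover for even i (u_0 = v_0 from A alone) and
    by the B-prover for odd i; the B-prover then derives false from u_n = v_n."""
    assert n % 2 == 0
    eq = lambda i: f"u{i} = v{i}"
    S_A = {eq(i) for i in range(0, n + 1, 2)}
    S_B = {eq(i) for i in range(1, n + 1, 2)} | {"false"}
    P_B = {eq(i): ({eq(i - 1)} if i > 0 else set()) for i in range(0, n + 1, 2)}
    P_A = {eq(i): {eq(i - 1)} for i in range(1, n + 1, 2)}
    P_A["false"] = {eq(n)}
    return S_A, S_B, P_A, P_B


if __name__ == "__main__":
    print(render(interpolant(example_6_12())))
    print(render(interpolant(example_6_3(4))))
```

For `example_6_3(4)` the output is `(u0 = v0) ∧ (u1 = v1 ⇒ u2 = v2) ∧ (u3 = v3 ⇒ u4 = v4)`, the interpolant stated in Example 6.3.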

We stress that computing a coloring cut from local refutations is just one way to produce interpolation runs. For specific theories, other mechanisms are possible. A crucial point, however, is that local refutations always admit a coloring cut. In fact, with $D$ and with $\sqsubset$ as defined in §6.3.2, a coloring cut of $D$ is provided by the sets $S_A$ and $S_B$ defined inductively as follows over the set of $AB$-colorable nodes $\varphi$ of $D$:

(1) $\mathit{false} \in S_B$;

(2) if $\varphi \sqsubset \beta$ for some $\beta \in S_B$, $\varphi$ is a leaf from $A$ or has a non-$B$-colorable parent, and $\varphi$ is $\sqsubset$-maximal with these properties², then $\varphi \in S_A$;

(3) if $\varphi \sqsubset \alpha$ for some $\alpha \in S_A$, $\varphi$ is a leaf from $B$ or has a non-$A$-colorable parent, and $\varphi$ is $\sqsubset$-maximal with these properties, then $\varphi \in S_B$.

Different coloring cut algorithms produce different interpolation runs, and therefore different interpolants. The inductive definition above aims at minimizing the cardinality of $S_A \cup S_B$³ and so is likely to produce smaller interpolants. If there is a need to find interpolants optimal in some other sense, one can hope that the problem will translate into a meaningful optimization problem for coloring cuts.
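The inductive coloring-cut construction above, followed by the premise functions of Theorem 6.11, as an added example that is not part of the paper: it runs on the refutation $D$ of Figure 7 (encoded as a map from each conclusion to its parents) and checks the result against Definition 6.9. Colorability is decided by a plain identifier scan, which is adequate for these formulas since bound variables and the shared symbols $a, b, f$ never collide with the one-sided symbols $p, q, s$.

```python
import re

# The refutation D of Figure 7 as conclusion -> parents (premises); leaves map
# to [].  Labels identify nodes, which assumption (i) on D permits.
D = {
    "false": ["t(fa)", "¬t(fa)"],
    "t(fa)": ["p(a) ⇒ t(fa)", "p(a)"],
    "p(a) ⇒ t(fa)": ["p(a) ⇒ r(a)", "∀x.(r(x) ⇒ t(fx))"],
    "p(a) ⇒ r(a)": ["∀uv.(p(u) ∧ q(v,u) ⇒ r(u))", "q(fa,a)"],
    "q(fa,a)": ["r(b) ∨ q(fa,a)", "¬r(b)"],
    "∀x.(r(x) ⇒ t(fx))": ["∀x.s(x)", "∀v.(s(v) ∧ r(v) ⇒ t(fv))"],
    "∀v.(s(v) ∧ r(v) ⇒ t(fv))": ["∀v.(s(v) ∧ r(v) ⇒ r(fv))"],
    "¬t(fa)": [], "p(a)": [], "∀uv.(p(u) ∧ q(v,u) ⇒ r(u))": [],
    "r(b) ∨ q(fa,a)": [], "¬r(b)": [], "∀x.s(x)": [],
    "∀v.(s(v) ∧ r(v) ⇒ r(fv))": [],
}
A = {"∀uv.(p(u) ∧ q(v,u) ⇒ r(u))", "p(a)", "r(b) ∨ q(fa,a)"}
B = {"∀v.(s(v) ∧ r(v) ⇒ r(fv))", "∀x.s(x)", "¬r(b)", "¬t(fa)"}
A_LOCAL, B_LOCAL = {"p", "q"}, {"s"}        # free symbols occurring on one side only

def symbols(phi):
    """Identifier scan (see the lead-in for why this suffices here)."""
    return set(re.findall(r"[a-z]+", phi))

def a_colorable(phi): return not (symbols(phi) & B_LOCAL)
def b_colorable(phi): return not (symbols(phi) & A_LOCAL)
def ab_colorable(phi): return a_colorable(phi) and b_colorable(phi)

def above(phi):
    """All ψ with ψ ⊏ phi, i.e. the transitive parents of phi in D."""
    seen, stack = set(), list(D[phi])
    while stack:
        psi = stack.pop()
        if psi not in seen:
            seen.add(psi)
            stack.extend(D[psi])
    return seen

def coloring_cut():
    """Rules (1)-(3) of §6.3, iterated to a fixpoint."""
    S_A, S_B = set(), {"false"}
    def wants_A(phi):   # AB-colorable, and a leaf from A or has a non-B-colorable parent
        return ab_colorable(phi) and ((not D[phi] and phi in A)
                                      or any(not b_colorable(p) for p in D[phi]))
    def wants_B(phi):   # the dual condition
        return ab_colorable(phi) and ((not D[phi] and phi in B)
                                      or any(not a_colorable(p) for p in D[phi]))
    changed = True
    while changed:
        changed = False
        for target, wants, source in ((S_A, wants_A, S_B), (S_B, wants_B, S_A)):
            for node in list(source):
                cands = {phi for phi in above(node) if wants(phi)}
                for phi in cands:           # keep only the ⊏-maximal candidates
                    if phi not in target and not any(phi in above(c) for c in cands):
                        target.add(phi)
                        changed = True
    return S_A, S_B

def is_coloring_cut(T_A, T_B):
    """Definition 6.9, checked directly against D."""
    if not all(ab_colorable(n) for n in T_A | T_B): return False    # (1)
    if T_A & T_B or "false" not in T_B: return False                 # (2)
    def separated(psi, phi, cut):   # some node of `cut` lies strictly between ψ ⊏ φ
        return any(psi in above(c) for c in cut & above(phi))
    ok3 = all(separated(psi, a, T_B)                                 # (3)
              for a in T_A for psi in above(a) & (T_A | (B - T_B)))
    ok4 = all(separated(psi, b, T_A)                                 # (4)
              for b in T_B for psi in above(b) & (T_B | (A - T_A)))
    return ok3 and ok4

def premises_from(root, cut, side):
    """Leaves of root's subproof in the decomposition of D at `cut` that lie in
    `side`: P_B(α) for α ∈ S_A with side = S_B, and dually for P_A (Theorem 6.11)."""
    found, stack = set(), list(D[root])
    while stack:
        phi = stack.pop()
        if phi in cut:
            found |= {phi} & side
        else:
            stack.extend(D[phi])    # leaves of D itself lie in A ∪ B and are skipped
    return found

def interpolation_run():
    """The run (S_A, S_B, P_A, P_B) induced by the coloring cut of D."""
    S_A, S_B = coloring_cut()
    cut = S_A | S_B
    P_B = {a: premises_from(a, cut, S_B) for a in S_A}
    P_A = {b: premises_from(b, cut, S_A) for b in S_B}
    return S_A, S_B, P_A, P_B
```

On Figure 7 the construction yields exactly the cut of Example 6.10, and the premise functions are those of Example 6.12.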



² That is, there is no $AB$-colorable $\varphi'$ with a non-$B$-colorable parent such that $\varphi \sqsubset \varphi' \sqsubset \beta$.

³ In this sense, it is analogous to the congruence path factorization used in §4.4, where each relevant path is broken into maximal subpaths consisting of equally colored edges. In both cases, the intent is to minimize the number of color switches, so to speak: the number of factors in one case and the size of the coloring cut in the other.

7. Conclusion

Our study of interpolation for the theory of equality was motivated by the central role this theory plays in SMT solving, and by the practical applicability of interpolant-producing SMT solvers in model checking. The algorithm we presented is easy to implement on top of the standard congruence closure procedure. It generates interpolants of a simple logical form and smaller size than those produced by the alternative method.
We identified congruence graphs as a convenient structure to represent proofs in EUF and to derive interpolants. The possibilities for global analysis and transformations of these graphs go beyond what we have explored. Our algorithm provides a basis for further refinement and multiple implementations. This flexibility may prove useful when the notion of interpolant quality is better understood.

The heart of our algorithm, the generation of an interpolant from a suitably colored congruence graph, is not EUF-specific. We showed that behind it is a general interpolation game and a general mechanism for deriving interpolants from suitably colored (local) proofs.